
This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

Overview

Microsoft has released updates that address critical vulnerabilities in Microsoft Windows, Office, Works Suite, Visual Basic for Applications, and Internet Explorer. Exploitation of these vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service on a vulnerable system.

The update for MS06-040 addresses a critical vulnerability in the Windows Server service (VU#650769). We have received reports of active exploitation of this vulnerability.

Microsoft Internet Explorer contains a cross-domain vulnerability in how it handles redirected object data. This could allow an attacker to access the content of a web page in a different domain. (CVE-2006-3280)

An exception handling vulnerability in the Microsoft Windows kernel may allow a remote attacker to execute arbitrary code. (CVE-2006-3648)

Impact

A remote, unauthenticated attacker could execute arbitrary code on a vulnerable system. An attacker may also be able to cause a denial of service.

Solution

Apply updates

Microsoft has provided updates for these vulnerabilities in the August 2006 Security Bulletins.

When prioritizing updates, we strongly encourage applying the update for MS06-040 (VU#650769) first.

Updates for Microsoft Windows and Microsoft Office XP and later are available on the Microsoft Update site. Microsoft Office 2000 updates are available on the Microsoft Office Update site. Apple Mac OS X users should obtain updates from the Mactopia web site.

System administrators may wish to consider using Windows Server Update Services (WSUS).